Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2016-3183 Out-Of-Bounds Read in sycc422_to_rgb function #726

Closed
trylab opened this issue Mar 16, 2016 · 1 comment

Comments

Projects
None yet
3 participants
@trylab
Copy link
Contributor

commented Mar 16, 2016

AddressSanitizer error message.

==116421==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000018c00 
at pc 0x000000529f98 bp 0x7ffe75bda580 sp 0x7ffe75bda578
READ of size 4 at 0x633000018c00 thread T0
    #0 0x529f97 in sycc422_to_rgb openjpeg/src/bin/common/color.c:148:33
    #1 0x527625 in color_sycc_to_rgb openjpeg/src/bin/common/color.c:286:3
    #2 0x4f1f5b in main openjpeg/src/bin/jp2/opj_decompress.c:1375:4
    #3 0x7f14c593182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #4 0x41a978 in _start (openjpeg/bin/opj_decompress+0x41a978)

0x633000018c00 is located 0 bytes to the right of 99328-byte region [0x633000000800,0x633000018c00)
allocated by thread T0 here:
    #0 0x4bac30 in calloc (openjpeg/bin/opj_decompress+0x4bac30)
    #1 0x7f14c722d764 in opj_calloc openjpeg/src/lib/openjp2/opj_malloc.c:203:10
    #2 0x7f14c71a0e7a in opj_j2k_update_image_data openjpeg/src/lib/openjp2/j2k.c:8212:62
    #3 0x7f14c71a0886 in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:9752:23
    #4 0x7f14c71693fd in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:7341:41
    #5 0x7f14c717c44e in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:9943:15
    #6 0x7f14c71d4356 in opj_decode openjpeg/src/lib/openjp2/openjpeg.c:412:10
    #7 0x4f1627 in main openjpeg/src/bin/jp2/opj_decompress.c:1330:10
    #8 0x7f14c593182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow openjpeg/src/bin/common/color.c:148:33 in sycc422_to_rgb
Shadow bytes around the buggy address:
  0x0c667fffb130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb180:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb1a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb1b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb1d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==116421==ABORTING

Credit to Ke Liu of Tencent's Xuanwu LAB.

@boxerab

This comment has been minimized.

Copy link
Contributor

commented Mar 31, 2016

kdu_show crashes when trying to read this image.

mayeut added a commit to mayeut/openjpeg that referenced this issue Apr 21, 2016

Fix Out-Of-Bounds Read in sycc422_to_rgb function
422 Images with an odd x0 lead to subsampled component starting at the
2nd column.
That is offset = comp->dx * comp->x0 - image->x0 = 1

Update uclouvain#726

mayeut added a commit to mayeut/openjpeg that referenced this issue Apr 23, 2016

Fix Out-Of-Bounds Read in sycc42x_to_rgb function
42x Images with an odd x0/y0 lead to subsampled component starting at the
2nd column/line.
That is offset = comp->dx * comp->x0 - image->x0 = 1

Update uclouvain#726

mayeut added a commit to mayeut/openjpeg that referenced this issue Apr 25, 2016

Fix Out-Of-Bounds Read in sycc42x_to_rgb function
42x Images with an odd x0/y0 lead to subsampled component starting at the
2nd column/line.
That is offset = comp->dx * comp->x0 - image->x0 = 1

Update uclouvain#726

mayeut added a commit to mayeut/openjpeg that referenced this issue Apr 29, 2016

Fix Out-Of-Bounds Read in sycc42x_to_rgb function
42x Images with an odd x0/y0 lead to subsampled component starting at the
2nd column/line.
That is offset = comp->dx * comp->x0 - image->x0 = 1

Update uclouvain#726

@mayeut mayeut closed this in 15f081c Apr 29, 2016

@mayeut mayeut added this to the OPJ v2.1.1 milestone Apr 29, 2016

mayeut added a commit to mayeut/openjpeg-data that referenced this issue Apr 30, 2016

mayeut added a commit to mayeut/openjpeg that referenced this issue Apr 30, 2016

boxerab added a commit to GrokImageCompression/grok that referenced this issue May 1, 2016

@trylab trylab changed the title Out-Of-Bounds Read in sycc422_to_rgb function CVE-2016-3183 Out-Of-Bounds Read in sycc422_to_rgb function Sep 13, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.